CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 25 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-7076 | Cri | 0.64 | 9.8 | 0.00 | Sep 4, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024. | ||
| CVE-2024-6919 | Cri | 0.64 | 9.8 | 0.00 | Sep 2, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Blind SQL Injection. This issue affects NACPremium: through 01082024. | ||
| CVE-2024-7071 | Cri | 0.64 | 9.8 | 0.00 | Aug 27, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection. This issue affects Brain Low-Code: before 2.1.0. | ||
| CVE-2024-8161 | Cri | 0.64 | 9.8 | 0.00 | Aug 26, 2024 | SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information… | ||
| CVE-2024-33872 | Cri | 0.64 | 9.8 | 0.00 | Aug 20, 2024 | Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges. | ||
| CVE-2024-6699 | Cri | 0.64 | 9.8 | 0.00 | Jul 30, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection. This issue affects Mikafon MA7: from v3.0 before v3.1. | ||
| CVE-2024-0857 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection. This issue affects FlexWater Corporate Water Management: before 5.452.0. | ||
| CVE-2024-6457 | Cri | 0.64 | 9.8 | 0.20 | Jul 16, 2024 | The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of… | ||
| CVE-2024-27709 | Cri | 0.64 | 9.8 | 0.01 | Jul 5, 2024 | SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. | ||
| CVE-2024-4228 | Cri | 0.64 | 9.8 | 0.00 | Jun 26, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL… | ||
| CVE-2024-36681 | Cri | 0.64 | 9.8 | 0.01 | Jun 24, 2024 | SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods. | ||
| CVE-2024-34988 | Cri | 0.64 | 9.8 | 0.00 | Jun 24, 2024 | SQL injection vulnerability in the module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows attackers to view sensitive information and cause other impacts via methods… | ||
| CVE-2024-34989 | Cri | 0.64 | 9.8 | 0.00 | Jun 21, 2024 | In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().' | ||
| CVE-2024-6027 | Cri | 0.64 | 9.8 | 0.01 | Jun 21, 2024 | The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation… | ||
| CVE-2024-37699 | Cri | 0.64 | 9.8 | 0.00 | Jun 20, 2024 | An issue in DataLife Engine v.17.1 and before is vulnerable to SQL Injection in dboption. | ||
| CVE-2024-34994 | Cri | 0.64 | 9.8 | 0.00 | Jun 19, 2024 | In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`. | ||
| CVE-2024-4295 | Cri | 0.64 | 9.8 | 0.10 | Jun 5, 2024 | The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing… | ||
| CVE-2024-5311 | Cri | 0.64 | 9.8 | 0.01 | Jun 3, 2024 | DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records. | ||
| CVE-2024-3200 | Cri | 0.64 | 9.9 | 0.00 | Jun 1, 2024 | The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL… | ||
| CVE-2024-1100 | Cri | 0.64 | 9.8 | 0.00 | May 30, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vadi Corporate Information Systems DIGIKENT GIS allows SQL Injection. This issue affects DIGIKENT GIS: through 2.23.5. |
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Blind SQL Injection. This issue affects NACPremium: through 01082024.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection. This issue affects Brain Low-Code: before 2.1.0.
- risk 0.64cvss 9.8epss 0.00
SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information…
- risk 0.64cvss 9.8epss 0.00
Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection. This issue affects Mikafon MA7: from v3.0 before v3.1.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection. This issue affects FlexWater Corporate Water Management: before 5.452.0.
- risk 0.64cvss 9.8epss 0.20
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of…
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL…
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods.
- risk 0.64cvss 9.8epss 0.00
SQL injection vulnerability in the module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows attackers to view sensitive information and cause other impacts via methods…
- risk 0.64cvss 9.8epss 0.00
In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'
- risk 0.64cvss 9.8epss 0.01
The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation…
- risk 0.64cvss 9.8epss 0.00
An issue in DataLife Engine v.17.1 and before is vulnerable to SQL Injection in dboption.
- risk 0.64cvss 9.8epss 0.00
In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`.
- risk 0.64cvss 9.8epss 0.10
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing…
- risk 0.64cvss 9.8epss 0.01
DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.
- risk 0.64cvss 9.9epss 0.00
The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vadi Corporate Information Systems DIGIKENT GIS allows SQL Injection. This issue affects DIGIKENT GIS: through 2.23.5.